- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Scheduling a saved search to run every 30 minutes,...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Scheduling a saved search to run every 30 minutes, how do I get results from the previous run instead of dispatching the search each time a user visits the page?
Hi All,
I have 3 saved searches set up to run every 30 mins. These searches run fine and the data gets created without issues.
I can then display the results on an external site by using the REST API/SDKs to grab the data.
What I am having a problem with though, is each time a user hits my page:
-saved search is dispatched
-have to wait until saved search job is "done" before displaying results to user
-once job is done, results are displayed
2 of the searches run fast and everything happens pretty quick.
The final search though, is very very large and takes some time to complete (usually 3 mins to fetch all results). And because of this, some data on my site is empty until this search is done.
I set up my saved searches to run every 30 mins. Is there a way to get the results from the last previous run instead of dispatching the saved search each time a user hits my page?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, loadjob are very useful when dashboards are broadly used.
You can load a job then running extra command within dashboard for optimization
| loadjob ...
| stats ...
loadjob
Description
Loads events or results of a previously completed search job. The artifacts to load are identified either by the search job id or a scheduled search name and the time range of the current search. If a savedsearch name is provided and multiple artifacts are found within that range the latest artifacts are loaded.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the searches are not scheduled, you can schedule them and if they are already scheduled , just have a look at the search artifact expiration conf
#*******
# dispatch search options
#*******
dispatch.ttl = <integer>[p]
* Indicates the time to live (in seconds) for the artifacts of the scheduled search, if no
actions are triggered.
* If the integer is followed by the letter 'p' Splunk interprets the ttl as a multiple of the
scheduled search's execution period (e.g. if the search is scheduled to run hourly and ttl is set to 2p
the ttl of the artifacts will be set to 2 hours).
* If an action is triggered Splunk changes the ttl to that action's ttl. If multiple actions are
triggered, Splunk applies the largest action ttl to the artifacts. To set the action's ttl, refer
to alert_actions.conf.spec.
* For more info on search's ttl please see limits.conf.spec [search] ttl
* Defaults to 2p (that is, 2 x the period of the scheduled search).
Other option is to use summary index.
Schedule your time consuming search run at regular interval and populate a summary index and use the summary index for final use
Other option is to Use search acceleration
http://docs.splunk.com/Documentation/Splunk/6.3.3/Report/Acceleratereports
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Its not the scheduling thats the issue.
Scheduling is fine. Dispatching job is fine. Fetching results is fine.
The problem is, its TOO SLOW. Like 40-50 seconds to fetch results for the 1 query I have.
Is there a way to get the "cached" results of a saved search or do I need to dispatch it each time a user wants that data?
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
